In a conventional network topology, a stub network is the most complex, and computing resources are centralized in an enterprise. Recently, with the advent of cloud computing, large data centers, and the like, IT applications of an enterprise are gradually aggregated to form a super-large computing node. An existing network security product based on a single node cannot be deployed on a cloud computing center, a large data center, or an operator backbone network. In these cases, a requirement for performance, functionality, and reliability far exceeds a level of a conventional security product.
An operator is making transformation currently, that is, transforming from a single pipe to a smart pipe. During the transformation, the operator is required to smartly sense pipe content and smartly sense services, provide services for security, QoS (Quality of Service, quality of service), and value-added services, and based on data analysis, provide differentiated services for customers.
Under this background, a demand for technologies such as distributed processing and cluster processing is generated in the field of security and value-added services. By means of the distributed and cluster processing, multi-node stacking can be used to meet a demand of cloud computing, a data center, and an operator for security and value-added services, in a case that processing performance of a single node cannot be significantly improved.
FIG. 1 is a schematic diagram of a security and value-added processing system using a serial processing technology in the prior art. As shown in FIG. 1, to meet requirements for performance and functionality at the same time, currently, in a node such as an operator network or a large data center, a single-function security product with superb performance is generally purchased and serially deployed at a network egress.
Since an egress bandwidth of an operator network or a large data center will reach hundreds of Gbps in a near future, a current solution is: both security and value-added service products use single-function products with high performance, and a structure shown in FIG. 1 is formed, where products such as a firewall, a VPN (Virtual Private Network, virtual private network), a DPI (Deep packet inspection, that is, deep packet inspection) device, a URL filtering (URL Filtering) device, an antivirus wall, and a load balancing device are connected in series.
This solution has the following problems:
1. A computing capability is wasted: In the field of security and value-added services, much processing work is repeated work. For example, almost each security and value-added service product has an abnormal packet detection mechanism and performs analysis on each packet. In a case of a series connection, processing is actually required only once. However, in fact, each product of each manufacturer performs abnormal packet detection, so that the abnormal packet detection is performed repeatedly in a system, resulting in waste of a large amount of computing resources and decreasing processing performance.
2. A network delay increases: Each packet is processed by all devices, and a node is added when a device is added, and correspondingly, a delay of end-to-end processing increases, thereby decreasing network performance.
3. Single points of failure increase: Since devices are connected in series, each device becomes a point with a single point of failure. In a case that an operator or a data center has a very high reliability requirement, this networking mode brings a huge hazard. Meanwhile, if solutions such as hot backup and primary backup are used, it is sure that system complexity sharply increases and an investment cost largely rises.
4. In a serial networking mode, processing performance of an entire system is determined by a node with the lowest processing capability. In the serial mode, generally, processing capabilities, such as antivirus and content security, of a device can merely reach 1/10 of a conventional network firewall.
Therefore, in the field of high-performance computing, especially in a case that a cloud computing era has an extremely harsh requirement for a capacity and security of the system, the serial mode is not suitable.
Another idea in the technical field is: in a case that a processing capability of a single device cannot be improved, a method of parallel load balancing may be used, where each node is fully configured with functions, and a load balancing device is used, so as to achieve end-to-end high performance.
FIG. 2 is a schematic diagram of a security and value-added processing system using a load balancing technology in the prior art. In FIG. 2, each node is a device integrated with multiple security functions (generally referred to as unified threat management (UTM, Unified Threat Management) in the field). In this system, a load balancer is used to share traffic to each device.
This solution has the following problems:
1. Software complexity is too high: Since the load balancer cannot sense a service type, packet distribution can be merely based on traffic, and software functions of each node in load balancing are definitely required to be complete. This causes a serious problem, that is, when a device needs to implement many complex security and value-added service functions, performance, reliability and stability of the device sharply decrease. It is well known that, a characteristic of large software is that the more complex the software, the more difficult to achieve performance optimization and reliability optimization. Therefore, all functions are centralized on one device, but this architecture itself has defects. Therefore, this solution can merely meet a demand of low-end market, and cannot meet a requirement of a high-end product.
2. An upgrade is complex: An upgrade of each sub-function results in an upgrade of an entire system, which is not beneficial to smooth transition or capacity expansion.
3. Coupling of internal functions is strong: Since each device needs to implement all security and value-added service functions, functional modules are coupled to each other. Therefore, once a fault occurs, the entire system is affected. From a perspective of product engineering, it is difficult to achieve high quality and high reliability. For an application scenario of an operator and a data center, this solution is limited.
4. Function extension is difficult: Any UTM product cannot be fully configured with all security and value-added service functions. When a user needs to extend functions, it almost cannot be implemented on devices of one manufacturer, and a load balancing networking mode requires that each node should fully implement all functions, which is almost impossible in engineering.
Therefore, in the field, there is a demand for implementing high-performance processing, computing capability multiplexing and performance optimization, resilient network expansion, and flexible service deployment.